[Esapi-user] DefaultEncoder - constructor must be synchronized.
Jim Manico
jim.manico at owasp.org
Sun Aug 1 12:56:58 EDT 2010
Thank you for this report, Shlomo. This is easy to fix; I'll push out a fix this week.
- Jim
On Aug 1, 2010, at 6:02 AM, "Shlomo Rothschild" <shlomor at unisfair.com> wrote:
> Hi,
>
> I just found out that the call to the DefaultEncoder constructor must be synchronized.
>
> The DefaultEncoder uses HTMLEntityCodec which in turn uses a static HashMap.
>
> When the HashMap is initialized with values by more than one thread it may cause a severe problem.
>
> In our production environment I found one machine utilizing 25% of the CPU by two threads that are stuck on initializing the DefaultEncoder.
>
> <?xml version="1.0" encoding="utf-8"?>
> <stack_trace>
> <threadstackframeinfo ="0" class="java.util.HashMap" method="put(java.lang.Object, java.lang.Object)" line="374" source_file="HashMap.java"/>
> <threadstackframeinfo ="1" class="org.owasp.esapi.codecs.HTMLEntityCodec" method="initializeMaps()" line="808" source_file="HTMLEntityCodec.java"/>
> <threadstackframeinfo ="2" class="org.owasp.esapi.codecs.HTMLEntityCodec" method="<init>()" line="44" source_file="HTMLEntityCodec.java"/>
> <threadstackframeinfo ="3" class="org.owasp.esapi.reference.DefaultEncoder" method="<init>()" line="75" source_file="DefaultEncoder.java"/>
> </stack_trace>
>
> Shlomo Rothschild | Chief Architect & CISO | Unisfair
> P: +972.3.6117300#235 | C: +972.54.3150906
>
> www.twitter.com/unisfair | www.facebook.com/unisfair
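
An added example, not ESAPI code and not part of the thread: the initialization pattern the report describes (a constructor filling a shared static HashMap) beside one thread-safe alternative that builds the map once in a static initializer. The class names, the `fill` helper and the three-entry entity table are hypothetical.

```java
import java.util.*;
import java.util.concurrent.*;

public class EntityMapInit {
    // Unsafe shape described in the report (kept for comparison, never called here):
    // each constructor call writes to one shared static HashMap without a lock.
    static class UnsafeCodec {
        static final Map<String, Character> ENTITIES = new HashMap<>();
        UnsafeCodec() { fill(ENTITIES); }
    }

    // Safe shape: the map is built once in a static initializer, which the JVM
    // runs under the class-initialization lock, then published read-only.
    static class SafeCodec {
        static final Map<String, Character> ENTITIES;
        static {
            Map<String, Character> m = new HashMap<>();
            fill(m);
            ENTITIES = Collections.unmodifiableMap(m);
        }
        Character decode(String name) { return ENTITIES.get(name); }
    }

    // Constructed sample data: three entities instead of the full HTML table.
    static void fill(Map<String, Character> m) {
        m.put("lt", '<');
        m.put("gt", '>');
        m.put("amp", '&');
    }

    public static void main(String[] args) throws Exception {
        int threads = 16;
        ExecutorService pool = Executors.newFixedThreadPool(threads);
        CountDownLatch start = new CountDownLatch(1);
        List<Future<Character>> results = new ArrayList<>();
        for (int i = 0; i < threads; i++) {
            results.add(pool.submit(() -> {
                start.await();                      // release all threads at once
                return new SafeCodec().decode("amp");
            }));
        }
        start.countDown();
        for (Future<Character> f : results) {
            // A bounded get() turns a hung initializer into a TimeoutException.
            if (f.get(5, TimeUnit.SECONDS) != '&') throw new AssertionError("bad decode");
        }
        pool.shutdown();
        System.out.println("all " + threads + " threads decoded 'amp' from one shared map");
    }
}
```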